
In an increasingly complex and interconnected digital environment, the protection of critical infrastructures and essential services has become a strategic axis for public and private institutions.
Cyber threats not only affect the integrity of data or systems, but also put at risk the trust of citizens and the stability of the market. Faced with this scenario, the European Union has deployed a solid and cohesive regulatory architecture that seeks to strengthen digital resilience in all key sectors. Two of its main pillars are the NIS2 Directive and the DORA Regulation, legal frameworks that mark a milestone in the evolution of the European approach to cybersecurity.
NIS2 Directive: A Multisectoral Approach to Comprehensive Cybersecurity
Directive (EU) 2022/2555, also known as NIS2, expands and strengthens the first NIS Directive, adopted in 2016. This update not only expands the number of sectors and entities affected, but also imposes more rigorous obligations in terms of risk management, incident reporting and governance. It aims to harmonise levels of cybersecurity in Member States, establish more effective oversight mechanisms and foster a culture of accountability and prevention in European organisations.
Transposition and application in Spain
In Spain, the transposition of the NIS2 Directive advanced in January 2025 with the opening of a public consultation on the draft law. Although the Directive entered into force at European level in January 2023, its full effectiveness depended on its incorporation into the national legal framework before 17 October 2024. The effective application would start from 18 October of that same year.
Although the transposition had not yet been completed on that date, Spain had a solid base thanks to the National Security Scheme (ENS), established by Royal Decree 311/2022. This technical framework already included many of the requirements raised by NIS2. In addition, the National Cryptological Center (CCN) developed the CCN-STIC 892 guide (PCE-NIS2), which aligns the 73 technical measures of the ENS with the ten groups of measures of Article 21 of the NIS2 Directive.
Obligations and levels of requirement
NIS2 requires the affected entities to implement measures that guarantee the security of networks and information systems. These measures must be proportionate to the level of risk and cover areas such as governance, cyber hygiene, security in the supply chain, incident management and continuous training of personnel.
The Directive distinguishes between essential entities and important entities. The former operate in highly critical sectors, such as energy, healthcare or digital infrastructures; the latter operate in sectors that are also critical but have less systemic impact. Although both categories must comply with the same general measures, the level of requirement, control and sanction is higher for essential entities. In Spain, the CCN-STIC 892 guide defines a different declaration of applicability for each category, facilitating adaptation according to the profile of the organization.
DORA Regulation: Operational Resilience for the Financial Sector
Regulation (EU) 2022/2554, known as DORA (Digital Operational Resilience Act), establishes a mandatory regulatory framework for financial sector entities to strengthen their ability to prevent, withstand, respond to and recover from technological incidents and cyberattacks. It applies directly in all Member States and seeks to consolidate a uniform standard of digital resilience throughout the European financial ecosystem.
Direct application and sanctioning regime in Spain
In Spain, the Council of Ministers approved on 18 December 2024 the draft Law on Digitisation and Modernisation of the Financial Sector, which, among other things, develops the sanctioning regime applicable to DORA. This law classifies infractions as minor, serious and very serious, establishing sanctions that can reach 10 million euros and the disqualification of managerial positions for up to ten years.
The competent authorities designated for the supervision and sanction of the different financial institutions are:
- Banco de España: for credit institutions.
- Directorate-General for Insurance and Pension Funds: for insurers and pension funds.
- National Securities Market Commission (CNMV): for investment services and financial markets.
In addition, INCIBE-CERT acts as a technical support body, offering prevention, incident response and specialized training services.
Technical and operational requirements
The DORA Regulation establishes a series of detailed obligations, structured in five pillars:
- ICT risk management: development of a comprehensive framework that includes the identification of critical assets, vulnerability analysis and establishment of controls.
- Incident management and reporting: obligation to establish channels for detection, recording, classification and reporting of relevant incidents.
- Digital operational resilience testing: periodic testing, including simulations and penetration testing every three years.
- Third-party risk management: evaluation and control of ICT providers, with special vigilance over those considered critical. Contracts with security clauses and exit plans are required.
- Threat intelligence sharing: promoting collaboration and the exchange of technical information with other financial institutions.
Evidence of compliance and certification
In the case of NIS2, compliance can be demonstrated by certification under the ENS, which is a certifiable legal standard. There are entities accredited by ENAC and audit bodies recognized by the CCN that verify compliance. The CCN-STIC 892 guide is the key tool to adapt the requirements to the characteristics of each organization.
In the context of DORA, although there is no mandatory formal certification, the preparation of rigorous documentation supporting compliance is required: resilience test reports, incident logs, internal audits and auditable contracts with external suppliers.
Both regulations align with international standards and regulations such as ISO 27001 or the General Data Protection Regulation (GDPR), generating synergies that allow a more integrated approach to technology risk management and regulatory compliance.
Institutional support ecosystem in Spain
Spain has a mature institutional ecosystem to accompany organizations in their adaptation to these regulations:
- The National Cryptological Center (CCN) coordinates the public CSIRTs and publishes guides such as the PCE-NIS2.
- INCIBE-CERT offers technical assistance to companies in the private sector, including asset surveillance, simulation exercises and advice.
- The Cybersecurity Coordination Office, within the Ministry of the Interior, contributes to the protection of critical infrastructures.
These entities offer resources, training and guidance to facilitate the transition to a proactive and effective compliance environment.
From obligation to opportunity: strengthening digital trust
The NIS2 Directive and the DORA Regulation should not be understood solely as instruments of control or legal imposition. They represent an opportunity for European organizations to strengthen their digital maturity, reduce their exposure to risks and build an organizational culture focused on resilience, prevention and continuous improvement.
Integrating these frameworks into the business strategy implies raising the standards of data protection, business continuity and technological governance, which translates into sustainable competitive advantages. Regulatory compliance ceases to be a reactive obligation to become a vector of transformation, innovation and reputation.
In short, adapting to NIS2 and DORA is much more than a regulatory necessity: it is an investment in the future of the organisation and a direct contribution to the stability and security of the European digital environment.